Wednesday, April 11, 2007

Phishing for you

With the number of illegitimate emails sent each day now in the billions, the chance of one slipping past your spam filters grows every day. But what happens when the message is worse than spam, and confidential information is at stake? In this post we walk through a simple phishing scam and the ways you can protect yourself and your company.


The Victim

Sandy considered herself an avid eBayer. She used to go to garage sales every weekend, but since she found eBay it was like having all the world's garage sales open all the time. Instead of going out on Saturday morning looking for bargains, all she had to do was log onto her computer and start searching for the things she wanted, whenever she wanted.

By this point she was used to getting emails from eBay, and from other eBayers, about products and auctions she had won. But today was different. Today she received an email from eBay informing her that her account information was out of date and needed to be updated, or else her account might be disabled. Not wanting her account to be disabled, she clicked the link in the email and logged into the website.

Upon logging in she was greeted with a message informing her that the bank account number on file was invalid and that she needed to re-enter it to bring her information up to date. After entering the bank account number she was thanked for her cooperation and told that the account was now current. Relieved that her account wasn't going to be locked out, she decided it would be a perfect time to check on her auctions.


The Attacker

As a web developer I found myself jumping from contract to contract, never staying at one place. This was getting ridiculous though; I had been out of work for four weeks and didn't have any prospects for a new contract any time soon, and to top it off I didn't have any savings left. So I figured I would put my skills to work for myself and create "my eBay." It would be a place for eBayers to come and give me access to their account information.

The plan was simple really: just lift eBay's layout so that people thought they were really at eBay when in reality they were logging into my site. Once they were logged in I asked nicely for their personal information and thanked them kindly. I always found people were much more responsive when you thanked them after a job. So I set about building the site and sending out emails to likely eBay users.


The Description

Phishing is a form of social engineering in which, most commonly, an email poses as coming from a legitimate company. The email is phrased to elicit information from you whose loss would expose company, financial, or personal data. It does this by first building credibility as the legitimate company, then creating a plausible and urgent reason for you to act on the request.

The collection itself can happen in several ways. The email may carry a form that looks as if it submits to the legitimate site but in reality sends the data to the fraudulent one, or a link that simply triggers an action on the phishing server. More often it is done through a fake site that mimics the legitimate one; once the credentials are captured, the fake site may even forward you, and your credentials, on to the real site so that you log in normally and never notice anything was wrong.


  • Phishing is a psychological attack, and as such it takes awareness training rather than a technical control to combat it. The best course of action is to know that these attacks are possible and to be wary of any email that asks for private information.

  • Legitimate companies should never request personal information through an email. If you believe the email is genuine and the site really does need the information, always go directly to the site from your web browser (type the address yourself or use a bookmark), never through links or forms provided in the email itself.

Phishing is a growing way of obtaining private information from people while avoiding the difficulties normally associated with breaking into the system itself. It effectively bypasses many of the safeguards a typical security perimeter implements, leaving corporate, financial and personal information protected only by your ability, or your users' ability, to tell legitimate emails from fraudulent ones.

There is no silver bullet against phishing, but there are things you can do to reduce the threat. First, understand that phishing is more than spam; treat it more like a virus than a nuisance. For corporations, email addresses published on the website should be removed, and address conventions reviewed, so that valid addresses cannot easily be guessed. Next, education is crucial to raise phishing awareness and teach the appropriate response, in particular the ability to recognise a phishing attempt by checking the sender, the message content, and the links it contains.
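To make those three checks (sender, message content, links) concrete, here is an added example, not part of the original post, that applies them to a constructed message modelled on the eBay lure in the story. The trusted-domain list, the sender and host names, and the message itself are all assumptions made up for the illustration, and the registrable-domain helper is a deliberate simplification that does not consult the public suffix list.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure modelled on the story above; every address and
# host name in it is made up for this example.
SAMPLE_EMAIL = """\
From: "eBay Account Services" <service@ebay-accounts.example>
To: sandy@example.com
Subject: Your account information is out of date
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account information is out of date. Update it within 24 hours
or your account may be disabled.</p>
<p><a href="http://192.0.2.10/ebay/login">https://www.ebay.com/signin</a></p>
<p><a href="http://www.ebay.com.secure-update.example/signin">Secure update</a></p>
<p><a href="https://www.ebay.com/help">Help</a></p>
</body></html>
"""

TRUSTED_DOMAINS = {"ebay.com"}  # domains treated as genuine (assumed for the example)
# Phrases that supply the "plausible and urgent reason" the post describes.
URGENCY = re.compile(r"\b(within \d+ hours?|disabled|suspended|immediately)\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a host name. Simplification: a real checker would
    consult the public suffix list so that co.uk, com.au etc. are handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href, text):
    """Return the reasons one link looks like it leads to a phishing site."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    if is_ip_literal(host):
        findings.append("ip-literal host")
    elif registrable(host) not in TRUSTED_DOMAINS:
        # e.g. www.ebay.com.secure-update.example: the brand name appears as
        # a sub-label of a domain the brand does not own
        brand_labels = {d.split(".")[0] for d in TRUSTED_DOMAINS}
        if brand_labels & set(host.split(".")):
            findings.append("look-alike host")
    # The visible text shows one URL while the href goes somewhere else.
    if text.startswith(("http://", "https://", "www.")):
        shown = text if "://" in text else "http://" + text
        shown_host = (urlparse(shown).hostname or "").lower()
        if shown_host and shown_host != host:
            findings.append("visible URL host differs from href host")
    return findings


def analyse_message(raw):
    """Apply the sender, content and link checks to one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    collector = LinkCollector()
    collector.feed(body)
    links = [{"href": h, "text": t, "findings": analyse_link(h, t)}
             for h, t in collector.links]
    # From: is trivially forged, so a real gateway would rely on SPF/DKIM
    # results rather than on the header alone; here it is just one signal.
    sender_findings = ([] if registrable(sender_domain) in TRUSTED_DOMAINS
                       else ["sender domain not trusted"])
    return {"sender_domain": sender_domain, "sender_findings": sender_findings,
            "links": links, "urgency_hits": len(URGENCY.findall(body)),
            "suspicious": bool(sender_findings) or any(l["findings"] for l in links)}
```

Calling analyse_message(SAMPLE_EMAIL) flags the sender domain, the IP-literal link whose visible text claims to be ebay.com, and the look-alike host, while the genuine help link passes; the urgency count is reported separately because urgent wording alone is not proof of fraud. The same weaknesses the script looks for (a From header that does not match the brand, a link that does not go where it says, a brand name buried inside someone else's domain) are the ones a user can check by hand by hovering over a link before clicking.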
